Tuesday, November 29, 2011

When an organization like National Public Radio devotes an eleven minute segment to Chinese digital espionage, even the doubters have to realize something is happening. Rachel Martin's story China's Cyber Threat A High-Stakes Spy Game is excellent and well worth your listening (.mp3) or reading time.

Rachel interviews three sources: Ken Lieberthal of the Brookings Institution, Congressman Mike Rogers (chairman of the House Intelligence Committee), and James Lewis from the Center for Strategic and International Studies.

If you listen to the report you'll hear James Lewis mention "a famous letter from three Chinese scientists to Deng Xiaoping in March of 1986 that says we're falling behind the Americans. We're never going to catch up unless we make a huge investment in science and technology."

James is referring to the so-called 863 Program (Wikipedia). You can also read directly from the Chinese government itself here, e.g.:

Implemented during three successive Five-year Plans, the program has boosted China’s overall high-tech development, R&D capacity, socio-economic development, and national security.

In April 2001, the Chinese State Council approved continued implementation of the program in the 10th Five-year Plan. As one of the national S&T program trilogy in the 10th Five-year Plan, the 863 Program continues to play its important role.

1. Orientation and Objectives

Objectives of this program during the 10th Five-year Plan period are to boost innovation capacity in the high-tech sectors, particularly in strategic high-tech fields, in order to gain a foothold in the world arena; to strive to achieve breakthroughs in key technical fields that concern the national economic lifeline and national security; and to achieve “leap-frog” development in key high-tech fields in which China enjoys relative advantages or should take strategic positions in order to provide high-tech support to fulfill strategic objectives in the implementation of the third step of our modernization process.

There's more to read, but that gives you a sense of what the "letter" involves.

I hope this NPR story helps some of you realize that the China threat is not "hype." Consider Dr Lieberthal in relation to Chairman Rogers and Jim Lewis. You can decide to try to refute their positions by saying that the Chairman has "an agenda," and Mr Lewis is essentially too distant from the problem. I personally think Chairman Rogers is right on the money, but I sometimes question where Mr Lewis gets his information.

Dr Lieberthal, however, is one of the world's finest minds regarding China (Wikipedia entry), and he served in the Clinton administration. He even wrote a book on how to achieve corporate success in China (Managing the China Challenge: How to Achieve Corporate Success in the People's Republic). He is not a "China hawk" trying to start some kind of "war" with the Chinese, yet he takes the threat seriously enough to discuss the countermeasures he takes when visiting China ten times a year. Do those who doubt the China threat still believe it's all "hype"?

The following screenshot shows Dustin asking "Can you show me what the last severity medium event was?" and Siri answering.

Later he asks Siri to tell him about "incident 15":

Near the end Dustin asks Siri if she likes Network Security Monitoring:

This is just about the coolest thing I've seen all year. Ten years ago I thought it was cool to listen to Festival read Sguil events out loud -- now Dustin shows how to interact with an NSM platform by voice command. Amazing!

Erik Hjelmvik was kind enough to send an evaluation copy of the latest version of his NetworkMiner traffic analysis software. You can download the free edition from SourceForge as well. I first mentioned NetworkMiner on this blog in September 2008.

NetworkMiner is not a protocol analyzer like Wireshark. It does not take a packet-by-packet approach to representing traffic. Instead, NetworkMiner displays traffic in any one of the following ways: as hosts, frames, files, images, messages, credentials, sessions, DNS records, parameters, keywords, or cleartext. To demonstrate a few of these renderings, I asked NetworkMiner to parse the sample pcap from a sample lab from TCP/IP Weapons School 2.0. I did not need to install it; the software starts from a single executable and loads several DLLs in the associated directory.

The following screen capture shows information from the Hosts tab, showing what NetworkMiner knows about 192.168.230.4.

Notice that in addition to summarizing information about traffic to and from the host, in terms of packets or sessions, we also see what NetworkMiner knows about the host, like Queried NetBIOS names, Web Browser User Agents, and so on.

The following screen capture shows the Files tab. This displays all the content that NetworkMiner extracted from the traffic to the analysis workstation hard drive (or in my case, the NetworkMiner USB thumb drive).

I think NetworkMiner is pretty cool, especially given what you can do with the free version. My primary recommendation for improvement would be an interface that allows the user to easily pivot from one piece of information to the next. With the current environment, the analyst seems confined to the tab at hand. I would like to see a way to right click on an element of the displayed information and then execute a query based on my selection. It would also be helpful to be able to right click and open associated data in another traffic analysis program like Wireshark.
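To make the host-centric rendering and the pivot idea concrete, here is an added example (not NetworkMiner's code, and not the TCP/IP Weapons School pcap) that builds a Hosts-style summary from a few constructed, pre-parsed packets and then pivots from one attribute back to the hosts that share it. The tuple layout, the `A? name` DNS shorthand, and the IP addresses are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample packets (not captured traffic):
# (src_ip, dst_ip, proto, sport, dport, payload)
PACKETS = [
    ("192.168.230.4", "10.0.0.5", "tcp", 49152, 80,
     b"GET / HTTP/1.1\r\nHost: example.test\r\n"
     b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\r\n"),
    ("10.0.0.5", "192.168.230.4", "tcp", 80, 49152, b"HTTP/1.1 200 OK\r\n\r\n"),
    # DNS query written in a constructed shorthand rather than wire format
    ("192.168.230.4", "10.0.0.53", "udp", 53001, 53, b"A? intranet.test"),
    ("192.168.230.4", "10.0.0.5", "tcp", 49153, 80,
     b"GET /x HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.19.7\r\n\r\n"),
    ("192.168.230.9", "10.0.0.5", "tcp", 40000, 80,
     b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\r\n"),
]

def session_key(src, dst, proto, sport, dport):
    # Order the two endpoints so both directions of a conversation map to one session.
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def host_view(packets):
    """Aggregate packet-level data into per-host facts, the way a Hosts tab does."""
    hosts = defaultdict(lambda: {"sent": 0, "received": 0, "sessions": set(),
                                 "user_agents": set(), "dns_queries": set()})
    for src, dst, proto, sport, dport, payload in packets:
        hosts[src]["sent"] += 1
        hosts[dst]["received"] += 1
        key = session_key(src, dst, proto, sport, dport)
        hosts[src]["sessions"].add(key)
        hosts[dst]["sessions"].add(key)
        if proto == "tcp" and dport == 80:
            # Pull the browser User-Agent out of an HTTP request header block.
            for line in payload.split(b"\r\n"):
                if line.lower().startswith(b"user-agent:"):
                    hosts[src]["user_agents"].add(line.split(b":", 1)[1].strip().decode())
        if proto == "udp" and dport == 53 and payload.startswith(b"A? "):
            hosts[src]["dns_queries"].add(payload[3:].decode())
    return dict(hosts)

def pivot(hosts, field, value):
    """The right-click pivot the review asks for: which hosts share this attribute?"""
    return sorted(ip for ip, h in hosts.items() if value in h[field])

if __name__ == "__main__":
    hosts = host_view(PACKETS)
    for ip, h in sorted(hosts.items()):
        print(ip, h["sent"], h["received"], len(h["sessions"]), sorted(h["user_agents"]))
    print(pivot(hosts, "user_agents", "Mozilla/5.0 (Windows NT 6.1)"))
```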

Thank you to Erik Hjelmvik for the opportunity to take another look at NetworkMiner!

Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.

• Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.

• Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.

• Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.

What's so significant about that section? The ONCIX is naming names right from the start, and concentrating squarely on China and Russia.

Contrast the 2011 approach with the 2008 report. If you search for "China" in the 2008 edition, you'll see only these sections in the main body of the report:

China and Russia accounted for a considerable portion of foreign visits to DOE facilities during FY 2008.

China continues to be a leading competitor in the race for clean coal technology.

The DNI Open Source Center (OSC) contributes to the CI community’s effort against China by monitoring foreign-language publications and Web sites for indications of threats and sharing this information with appropriate agencies, including law enforcement.

That's very different from the direct approach taken in 2011. However, if you check "Appendix B: Selected Arrests and Convictions for Economic Collection and Industrial Espionage Cases in FY 2008," in the 2008 report, you find China listed as the perpetrator of 7 of the 23 cases! So, although China has been an active threat for many years, only now is the ONCIX shining the spotlight on that country (along with Russia) as primary threats to US secrets and intellectual property.

I just noticed there is now a Kindle edition of my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection, published in July 2004. Check out what I wrote in the first paragraphs now available online.

Welcome to The Tao of Network Security Monitoring: Beyond Intrusion Detection. The goal of this book is to help you better prepare your enterprise for the intrusions it will suffer. Notice the term "will." Once you accept that your organization will be compromised, you begin to look at your situation differently. If you've actually worked through an intrusion -- a real compromise, not a simple Web page defacement -- you'll realize the security principles and systems outlined here are both necessary and relevant.

This book is about preparation for compromise, but it's not a book about preventing compromise. Three words sum up my attitude toward stopping intruders: prevention eventually fails. Every single network can be compromised, either by an external attacker or by a rogue insider. Intruders exploit flawed software, misconfigured applications, and exposed services. For every corporate defender, there are thousands of attackers, enumerating millions of potential targets. While you might be able to prevent some intrusions by applying patches, managing configurations, and controlling access, you can't prevail forever. Believing only in prevention is like thinking you'll never experience an automobile accident. Of course you should drive defensively, but it makes sense to buy insurance and know how to deal with the consequences of a collision.

Once your security is breached, everyone will ask the same question: now what? Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. I hope this book will reduce the investigative workload of your computer security incident response team (CSIRT) by posturing your organization for incident response success. If you deploy the monitoring infrastructure advocated here, your CSIRT will be better equipped to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps. The intruder will spend less time stealing your secrets, damaging your reputation, and abusing your resources. If you're fortunate and collect the right information in a forensically sound manner, you might provide the evidence needed to put an intruder in jail.

I wrote that eight years ago, and thankfully my concept that "prevention eventually fails" (which I coined in that book) is finally gaining ground.

Tuesday, November 22, 2011

I've posted about twenty FISMA stories over the years on this blog, but I haven't said anything for the last year and a half. After reading Goodbye DIACAP, Hello DIARMF by Len Marzigliano, however, I thought it time to reiterate why the newly "improved" FISMA is still a colossal failure.

First, a disclaimer: it's easy to be a cynic and a curmudgeon when the government and security are involved. However, I think it is important for me to discuss this subject because it represents an incredible divergence between security people. On one side of the divide we have "input-centric," "control-compliant," "we-can-prevent-the-threat" folks, and on the other side we have "output-centric," "field-assessed," "prevention eventually fails" folks. FISMA fans are the former and I am the latter.

So what's the problem with FISMA? In his article Len expertly discusses the new DoD Information Assurance Risk Management Framework (DIARMF) in comparison to the older DoD Information Assurance Certification and Accreditation Process (DIACAP). DIARMF is a result of the "new FISMA" emphasis on "continuous monitoring" which I've discussed before.

Len writes "DIARMF represents DoD adoption of the NIST Risk Management Framework process" and provides the diagram at left with the caption "The six major steps of Risk Management Framework aligned with the five phases of a System Development Lifecycle (SDLC)."

Equally profound within DIARMF are the increased requirements for Continuous Monitoring activities. Each control (and control enhancement) will be attributed with a refresh rate (daily, weekly, monthly, yearly) and requisite updates on the status of each control will be packaged into a standardized XML format and uploaded into the CyberScope system where analysis, risk management, and correlation activities will be performed on the aggregate data.

Rather than checking on the security posture every three years or whatever insane interval that the old FISMA used, the new FISMA checks security posture more regularly, and centralizes posture reporting.

Wait, isn't that a good idea? Yes, it's a great idea -- but it's still control monitoring. I can't stress this enough; under the new system, a box can be totally owned but appear "green" on the FISMA dashboard because it's compliant with controls. Why? There is no emphasis on threat monitoring -- incident detection and response -- which is the only hope we have against any real adversary.

Think I'm wrong? Read Len's words on CyberScope:

CyberScope is akin to a giant federal-wide SIEM system, where high-level incident management teams can quickly pull queries or drill down into system details to add analysis on system defenses and vulnerabilities to the available intelligence on an attack. CyberScope data will also be used to track trends, make risk management decisions, and determine where help is needed to improve security posture.

If you're still not accepting the point, consider this football analogy.

Under the old system, you measured the height, weight, 40 yard dash, and other "combine" results on a player when he joined the team. You checked again three years later. You kept data on all your players but had no idea what the score of the game was.

Under the new system, you measure the height, weight, 40 yard dash, and other "combine" results on a player when he joins the team. You check again more regularly -- maybe even every hour, and store the data in a central location with a fancy Web UI. You keep data on all your players but still have no idea what the score of the game is.

Until DoD, NIST, and the other control-compliant cheerleaders figure out that this approach is a failure, the nation's computers will remain compromised.

Note: There are other problems with DIARMF -- read the section where Len says "This shakes out to easily over a hundred different possible control sets that can be attributed to systems" to see what I mean.

Managing cybersecurity risk has always been, and always will be, in large part a private sector responsibility...

Until recently, this responsibility may have been unclear — or unknown — to the directors and officers of publicly traded companies. But on Oct. 13, the Securities and Exchange Commission issued groundbreaking guidance to clarify companies’ disclosure obligations about material cybersecurity risks and events.

Federal securities law has long required publicly traded companies to report “material” risks and events — that is, information that the average investor would want to know before making an investment decision. But before the SEC’s action, many companies were not aware how — or perhaps even if — this duty applied to cybersecurity information. In fact, a Senate Commerce Committee review of past corporate disclosures suggested that a significant number of companies have not reported these risks for years.

This SEC guidance is critical because it allows market participants to weigh cybersecurity as an investment factor. It is generally understood that disclosing material breaches — such as the significant loss of a company’s intellectual property — will affect the value of a company, because existing or potential investors will reconsider their investment decisions. Without detailed public information about these events, investors are unaware of the risks to which companies are exposed. And without pressure from investors, corporate officers are less likely to change their risk-management practices.

The SEC guidance will fundamentally alter this equation by raising questions that historically have not been asked at many U.S. companies. Businesses will now have to consider, among other things, what constitutes a material cybersecurity breach and how to disclose such events to investors; how the value of intellectual property is measured; whether appropriate defenses are in place around that property; and whether risks are being appropriately mitigated, through defensive technologies or appropriate insurance coverage. (emphasis added)

Make no mistake: this is a big deal. Until now "disclosure" laws have aimed at protecting consumers by making their PII the important aspect of a digital incident.

With the SEC guidance, we have a new audience for "disclosure" -- shareholders. The SEC is telling publicly traded companies that they have to disclose material cyber security incidents. Now the battle to define materiality will begin.